Exchange 2007 Certificate with Split DNS
Home > IT Answers > Exchange > Exchange 2007 Certificate with Split DNS
RuthParish15
60 pts.
0
Q:
Exchange 2007 Certificate with Split DNS
Exchange 2007, Certificates, OWA, ActiveSync, AutoDiscover
I requested a UCC certificate from goDaddy listing domain names that include both our outward facing domain and our internal inward facing domain. We never registered the internal domain as it was just for inside our network.
GoDaddy is checking the ownership of both domains. They won’t issue the certificate with the inward domain names as we don’t own it. Will Exchange 2007 work when protected by a certificate that only lists our outside domain? We have what I believe is called Split DNS and actually have both domain names listed in our Forward and Reverse Lookup Zones.
Maybe I should keep the default certificate that Exchange 2007 automatically creates and only use the GoDaddy certificate for OWA, Autodiscover & ActiveSync? Would the new certificate request work for them? That would change our certificate request from:
cn=mobile.external.org, -DomainName autodiscover.external.org, castor.external.org, castor.internal.gov, autodiscover.internal.gov
to:
cn=mobile.external.org, -DomainName autodiscover.external.org, castor.external.org, castor

Castor=our Exchange 2007 Server
ASKED: Apr 27 2009  3:29 PM GMT
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
RELATED QUESTIONS
0
Labnuke99
26290 pts.
0
A:
 RATE THIS ANSWER
+1
Click to Vote:
  •   1
  •  0
  • AddThis Social Bookmark Button
Either certificate will work - however, the issue is that the user will get a notification message when they go to the page referred to by the "untrusted" name. So, if the GoDaddy cert is used and the user visits the internal.gov address, they will get prompted that the certificate is bad. The traffic will still be encrypted between client and server. It's a matter of the user understanding the implication of clicking through the certificate error message.
Last Answered: Apr 27 2009  3:33 PM GMT by Labnuke99   26290 pts.
  •   
0
0
RSS - Discussions Help
Discuss This Answer:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _



_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

RuthParish15   60 pts.  |   Apr 27 2009  4:02PM GMT

So, is there any point to buy a certificate from a trusted authority rather than creating one internally?

 

Troy Tate   0 pts.  |   Apr 27 2009  6:38PM GMT

Yes - to take away the issue of TRUST that accepting a “bad” certificate error will create. If you train your users to always accept this certificate trusting that the destination server is who it says it is, what is there to say they won’t accept a certificate from a spoofed or phishing site that steals their credentials or identity? I know some say that best practice is to have a .local domain inside and another domain outside of the firewall, but this does complicate matters when looking at things like this certificate issue. Check out my blog posting Certificates - who do YOU trust?

In the IT trenches? So am I - read my IT-Trenches blog

 
0